“GDPR, yes okay, but what does it mean for my business?”
07 February 2018
Jaco Cebula, CTO, Multrees Investor Services, gets down to the details on the coming regulation
It is hard to imagine there is anything left to say about the upcoming General Data Protection Regulation, because it has headlined consistently for months. Despite this, many remain unsure of its implications and the changes necessary to ensure compliance. Our response is simple: you need to understand what the regulation means for your business, and then use it as an opportunity to demonstrate your firm’s robust approach to data governance.
It’s all about the data…
The GDPR – and the copious discussions surrounding it – is heavily focused on data. For financial services firms, the concept of high quality enterprise data, and the associated data governance, should be nothing new. GDPR simply extends the scope of enterprise data governance to include a wider range of personal data over and above standard financial metrics.
At Multrees, our clients rely on us to safeguard their data as well as that of their customers. We oversee thousands of investment accounts, with each one holding personal data, so we know a fair bit about the GDPR and the responsibility we all need to uphold.
For most businesses, the regulation will require a number of work streams to capture the following:
· Identification and categorisation of personal data – including all underlying application databases, unstructured data and HR systems.
· Data provenance – downstream and upstream analysis of the organisation’s data flows, both internal and external.
· Rationale for holding data.
· Mapping and retrieval of data, plus delivery mechanism – for example, an achievable goal may be to automate the Subject Access Request process from a downstream client, returning all data held across all system boundaries on demand.
· How to handle the processes for erasure and for subject access requests – the key point being that these should not be ‘new’ processes, but will need to be refreshed for GDPR.
· How to report a data breach – clear understanding of responsibility, reporting mechanism, limitations of breach detection capability etc.
· Marketing, CRM and HR databases – greater risk of sensitive data.
· Upstream/ downstream clients and vendors.
This applies not just to customers and prospects; the regulation will impact internal HR data too. As seen with the final point above, businesses will need to assess whether their vendors are GDPR compliant. At Multrees, we know that our business can only move as fast as the slowest component in our process chain, and this includes our vendors. Ahead of the May deadline, 17 vendors will be assessed to ensure they are all compliant.
Multrees too will be subject to assessment as a vendor to all of our client firms, and will need to provide reassurance that we can respond in a timely fashion to regulatory requests.
The EU GDPR will be enforced from 25 May 2018.